openssh-8.4p1 dropped support for launchd in ssh-agent

[wcn3 (Bill Neubauer)]

Looking at the description of ​https://github.com/macports/macports-ports/commit/03c756a541a6e97dee5f2352129b5cd0b3108b67 it intended to drop support for a number of Apple-specific features that were now part of the upstream, but the launchd support for ssh-agent was also removed. The launchd functionality is not present upstream, and this makes ssh-agent no longer work correctly when started from launchd, which is necessary to work around the default ssh-agent in Catalina and above.

I've tested out a patch that restores this functionality.

[fhgwright (Fred Wright)]

It's not just "Catalina and above". The ssh-agent provided with some older OS versions has some sort of soft compatibility issue with some servers, resulting in a warning on every connection. This was easily fixed by using the MacPorts ssh-agent, but that has now stopped working.

It's probably a bug that the port doesn't supply the appropriate LaunchAgent file to cause this agent to be used normally, which is inconsistent with the usual behavior where MacPorts-installed tools take precedence over their Apple equivalents. If it did do that, this bug probably would have been noticed earlier.

The required LaunchAgent is easily derived from Apple's:

MacPro:~ fw$ diff /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist /Library/LaunchAgents/org.macports.ssh-agent.plist
6c6
< 	<string>org.openbsd.ssh-agent</string>
---
> 	<string>org.macports.ssh-agent</string>
9c9
< 		<string>/usr/bin/ssh-agent</string>
---
> 		<string>/opt/local/bin/ssh-agent</string>

This is on 10.9; I'm not sure how much it varies with the OS version.

[wcn3 (Bill Neubauer)]

My point about Catalina is that the method you mentioned for modifying the system's launch agent is no longer possible because of System Integrity Protection. Since you cannot stop the default agent from running, it's necessary to have the MacPorts SSH agent grab the socket to avoid having two competing agents.

[fhgwright (Fred Wright)]

What I posted above wasn't intended as a workaround for the current problem, but rather as a mention of an additional long-standing problem that's not limited to the latest version. It also isn't a "modification" of the system launch agent, but rather a recipe for deriving a new launch agent from the system version (note the different file names). I'm not sure if that runs afoul of SIP or not, but it's moot as long as the agent isn't able to run correctly from launchd at all.

There's never an issue with "two competing agents"; you can have as many agents running as you like (on different sockets). But the ssh client will only talk to the one whose socket is specified in SSH_AUTH_SOCK. In fact, you can always launch another agent via the traditional method of eval $(ssh-agent), but the resulting agent is effectively local to the Terminal window that launched it. The advantage of running it as a LaunchAgent is that you get one instance shared among all Terminal windows.

[wcn3 (Bill Neubauer)]

In 092dd0344ed7b154d11fbffe4d3229119c6f3841/macports-ports (master):

openssh: restore launchd support in ssh-agent

• update to revision 1
• restore partial contents of previously deleted patch

Closes: #61888